Vermont’s New Data Privacy Law

Data brokers intrude on the privacy of millions of people by harvesting and monetizing their personal information without their knowledge or consent. Worse, many data brokers fail to securely store this sensitive information, predictably leading to data breaches (like Equifax) that put millions of people at risk of identity theft, stalking, and other harms for years to come.

Earlier this year, Vermont responded with a new law that begins the process of regulating data brokers. It demonstrates the many opportunities for state legislators to take the lead in protecting data privacy. It also shows why Congress must not enact a weak data privacy law that preempts stronger state data privacy laws.

What Vermont’s Law Does

Vermont’s new data privacy law seeks to protect consumers from data brokers through four important mechanisms.

Transparency. Data brokers must annually register with the state. When doing so, they must disclose whether consumers may opt out of data collection, retention, or sale, and if so, how they may do so. A data broker must also disclose whether it has a process to credential its purchasers, and its number of security breaches.

Data security. Data brokers must maintain an information security program with safeguards for the personal information they hold; this is the "data security requirement" whose enforcement is discussed below.

No fraudulent collection. Data brokers may not collect personal information by fraudulent means, or for the purpose of harassment or discrimination.

Free credit freezes. Credit freezes are an important way for consumers to protect themselves from the fallout of a data breach. Many businesses will not extend credit absent a report from a credit reporting agency, and a credit freeze bars these agencies from issuing a report until a consumer lifts the freeze when they actually want credit. Vermont already empowered consumers to use credit freezes to protect themselves from credit fraud. The new Vermont law bars credit agencies from charging consumers fees for this protection.

What Vermont Should Do Next

Vermont’s legislators must not rest on their laurels. Rather, they should consider three sets of improvements to their state’s data privacy laws.

“First party” data miners. The new Vermont law defines a “data broker” as a business that collects and sells personal information from consumers with whom the broker has no direct relationship. Thus, the Vermont law begins to address “third-party” data mining (that is, data mining by companies that have no direct relationship with consumers). But it does not address “first-party” data mining (that is, data mining by companies that do have a direct relationship with consumers). For example, the Vermont law does not cover a social media platform like Facebook, or a retailer like Walmart, when those companies gather information about how consumers interact with their own websites.

The Vermont Attorney General is now holding hearings regarding whether Vermont should next regulate first-party data mining (among other things). We hope Vermont will find smart, appropriately tailored ways to do so.

More rules for data brokers. Vermont should do more to protect consumers from data brokers. As EFF has explained, new laws should: (i) impose on data brokers a fiduciary duty towards the consumers whose data they harvest and monetize; (ii) establish a government office to assist the victims of data breaches; and (iii) ensure that victims of data breaches can seek compensation for their non-financial injuries, and not just their financial injuries.

EFF also supports a consumer’s “right to know” what personal information a data broker has gathered about them, how the broker obtained it, and to whom they sold it. Such legislation must be carefully tailored to avoid undue burdens on free speech and innovation. Under the Vermont law, however, a consumer can only learn which data brokers are operating in the state, and a few general facts about those operations, but nothing about the harvesting of the consumer’s own personal information.

Further, the Vermont law does not require any form of consumer consent for data collection or sale. Rather, it only requires data brokers to publicly disclose whether there is a way for consumers to opt out, and if so, how. In some cases, data brokers should be required to obtain consent to collect or sell a consumer’s personal information. For example, the new Vermont law defines “personal information” to include biometrics, and no one should be allowed to collect or sell someone else’s biometrics without their informed, opt-in consent.

Stronger enforcement. The new Vermont law provides that violations of the data security requirement and the ban on fraudulent acquisition are “unfair and deceptive acts” under existing state law. This means consumers can sue violators of these two new rules. This ability to bring a private cause of action is a powerful enforcement tool, because consumers don’t have to wait for the government to hold a data broker accountable. Instead, they can do it themselves.

Unfortunately, the same does not hold true for the new Vermont rule requiring transparency from data brokers. It should, and we urge Vermont to look for ways to give consumers a way to enforce the transparency rule as well.

The Vermont Attorney General may enforce all of these rules, which is good. But it is no substitute for the empowerment of “private attorneys general” to enforce the law when an Attorney General cannot or will not do so.

EFF hopes more states will enact smart, tailored laws that protect the privacy of technology users, while steering clear of First Amendment concerns and undue burdens. State legislatures have long been known as “laboratories of democracy” and they are serving that role now.

But some tech giants aren’t happy about that, and they are trying to get Congress to pass a weak federal data privacy law that would foreclose state efforts. They are right about one thing: it would be great to have one nationwide set of protections – but not if those protections are illusory or inadequate. Over 90% of Americans feel like they have no control over their privacy. Congress should be working to give them that control, instead of letting the companies with the worst privacy track records dictate users’ legal rights.
